I like to MOVEit, MOVEit - UPDATE

July 13, 2023 - Update

  • Organizations impacted: 287
  • Individuals impacted: 18,154,787*
  • *Only 50 organizations have disclosed the number of individuals their breach impacted.

July 4, 2023 - Update

The current victim list is massive and growing, and Clop continues to share new entries every day, which begs the question: how many companies have actually been affected by this attack? Some victims have publicly announced their involvement in the breach; others have simply been named by Clop themselves. We’ll be following this attack closely and updating this blog with new information as the story unfolds.

Let’s take a look at the 124 victims that have been announced as of July 4, 2023, 9:33 CDT:

University of Rochester, based in Rochester, New York

Austrian Finance Market Authority

Zellis, UK based software development company

Government of Nova Scotia

BORN Ontario, healthcare organization in Canada

Extreme Networks, US based software development company

Synlab, French medical diagnostic service provider

Government of Illinois

Minnesota Department of Education

HSE, public health service in Ireland

Landal Greenparks, European holiday facilities

Ofcom, UK’s media watchdog

Ernst & Young (EY), global accountancy firm

Transport for London (TfL), UK government body

Prudential Assurance Malaysia Berhad (PAMB), Malaysian insurance company

Prudential BSN Takaful Berhad (PruBSN), Malaysian takaful company

State of Missouri

1st Source Bank, Michigan based bank

Datasite LLC, US based SaaS provider

First National Bankers Bank, US based bank services provider

GreenShield Canada, a non-profit benefits carrier

Heidelberger Druckmaschinen, German precision engineering company

Leggett and Platt, US based manufacturing firm

National Student Clearinghouse, US based educational not for profit organization

OKK, insurance company based in Switzerland

Putnam Investments, US based investment management firm

United HealthCare Services, US based health insurance firm

Shell, British multinational gas company

University of Georgia, based in Athens, Georgia

Johns Hopkins University and Health System, based in Baltimore, Maryland

HealthEquity, US based financial technology and business services provider

CU*Answers, US based software company

NavAXX S.A., Luxembourg based financial services company

Delaware Life, US based insurance company

Fiduciary Outsourcing, US based fiduciary retirement plan administration provider

Enzo Biochem, US based medical diagnostics firm

CareServices LLC, US based healthcare services provider

Genericon Pharma, Pharmaceutical company based in Austria

Brault, US based technology firm

A+ Federal Credit Union, Texas based Credit Union

Bar Harbor Bank, US based bank

Power Financial Credit Union, South Florida based Credit Union

East West Bank, US based bank

US Department of Energy’s Waste Isolation Pilot Plant

Oak Ridge Associated Universities, based in Oak Ridge, Tennessee

Louisiana’s Office of Motor Vehicles (OMV)

Oregon Department of Transportation

Marti Group, Swiss contracting company

PRA Group, US based debt collection agency

Umpqua Bank, US based bank

University of Missouri, based in Columbia, Missouri

IC System, US based debt collection services

ARBURG, European plastics manufacturer

Boston Globe, US daily newspaper

China CITIC Bank, commercial banking company

STIWA Group, Austrian manufacturing company

Cegedim SA, French technology company

Aon, global insurance company

Nuance Communications, US based software company

Pan American Life Insurance Group, US based insurance organization

Gesa, Washington based Credit Union

Telos, US based Information Technology company

Santa Clara University, based in California

Skillsoft, US based educational technology company

Cree Lighting, US-based LED lighting manufacturer

Gen Digital, the parent company of cybersecurity brands Avast, Avira, Norton and LifeLock

Stockman Bank, Montana based community bank

Baesman, US based marketing services provider

EMSS Inc, Hawaii based IT services and IT consulting organization

CBE, construction company based in Australia

Zurich Insurance Brazil

PricewaterhouseCoopers (PWC), global accounting firm.

MS Amlin, UK based insurance operator

GUS Canada, a network of higher education institutions in Canada.

Schneider Electric, UK based energy equipment and solutions provider

Siemens Energy, energy development company based in Germany

Werum, a solution owned by Koerber Pharma

UCLA, based in Los Angeles California

AbbVie, US based pharmaceutical company.

Wilton Reassurance Company, US based life insurance agency

Proskauer, multinational law firm

Kirkland & Ellis, multinational law firm.

Kotak Life, life insurance company based in India

Starmount Life, US based life insurance company

Jackson National, US based retirement planning company

CareSource, Ohio based not for profit organization

Sapiens International, computer software company based in Israel

Enstar Group, insurance company based in Bermuda

Cognizant, multinational IT services and consulting company

Delta Dental, American network of dental insurance companies

CPIAI, Texas based insurance company

Darling Consulting Group, US based financial advisor

K&L Gates, US based law firm.

Region of Queens Municipality, Canada

IWK Health Centre, based in Halifax, Nova Scotia.

Metro Vancouver Transit Police

AOK, an association of statutory health insurers based in Germany

Verivox, German comparison-shopping website

Barmer, Berlin based health insurance company.

Verlagsgesellschaft Vogelsberg GmbH & Co, Germany based publishing company.

Encore Capital Group, US based financial services company

TrellisWare Technologies, US based telecommunications company

Hornbeck Offshore, US based maritime transport company

FIS Global, multinational financial services organization

Iron Bow Technologies, software company based in Virginia

Vericast, Texas based advertising services agency

Sovos, US based software development company

The Harrington Group, not for profit organization based in Minnesota

City National Bank of Florida

Clicks Group, South Africa based health retailer.

Allegiant Air, US based airline

US Department of Health and Human Resources

Rhenus Group, German logistics company

Digital Insight, US based software provider.

California Public Employees’ Retirement System

Genworth Financial, US based insurance company

Tennessee Consolidated Retirement System

Talcott Resolution, US based life insurance company

Teachers Insurance and Annuity Association of America

Kirkland and Ellis LLP, multinational law firm

Union Bank and Trust Company, US based privately owned state chartered commercial bank.

Vitality Group, behavioral engagement platform

Medibank Private Ltd, Australian health insurance provider

Honeywell, US based multinational conglomerate corporation


June 16, 2023 - Original Article

If you woke up to the news this morning, June 16, 2023, you would have heard of the massive cyberattack that is evolving and engulfing the globe:

https://www.cbsnews.com/news/us-cyberattack-impacts-government-agencies-nato-allies-breach/

Is this part of a nation-state event? Time will soon tell. In today’s blog, I will attempt to unfold what I believe are the mechanics behind this cyberattack.

In today's interconnected world, businesses face numerous cybersecurity threats that can compromise their sensitive files during transit. However, a renowned software called MOVEit has emerged as a trusted solution, offering an impenetrable fortress to safeguard confidential data. Despite its reputation, recent events have shed light on the ever-evolving nature of digital threats and the need for constant vigilance. Let's delve into the details of the MOVEit Transfer cyberattack and the implications it holds for organizations worldwide.


The Unveiling of a Zero-Day Vulnerability: On May 31st, the cybersecurity community was rattled by the revelation of a zero-day vulnerability exploit in MOVEit Transfer, a file transfer product developed by Ipswitch, a subsidiary of Progress. What made this discovery even more alarming was the fact that this vulnerability had been lurking for over two years, exposing organizations to potential risks. Exploiting this weakness was a notorious Russian-linked ransomware group known as CLOP Ransomware.

https://industrialcyber.co/cisa/cisa-fbi-warn-organizations-that-cl0p-ransomware-group-exploits-moveit-transfer-vulnerability/

https://www.cisa.gov/sites/default/files/2023-06/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_5.pdf

The Long-Term Exploitation Efforts: Kroll Threat Intelligence research suggests that CLOP Ransomware began experimenting with the MOVEit vulnerability as early as July 2021, seeking ways to monetize their exploit. Initially, their activities were primarily manual, involving testing access to vulnerable MOVEit Transfer clients and gathering information to identify the organizations using the software. However, by April 2022, the threat actors had adopted an automated mechanism to probe multiple organizations simultaneously and collect valuable data from them.

The Extraction of Crucial Information: Before the mass exploitation began, the attackers conducted their last round of testing activities in May. Their objective was to extract the unique "Org ID" identifier associated with each MOVEit Transfer user. This information would have enabled the attackers to categorize the organizations they could potentially access. Disturbingly, as of June 2, 2023, a Shodan query revealed that there were 2,526 publicly accessible instances of MOVEit Transfer that could potentially be vulnerable.

Organizations Caught in the Crosshairs: As the scope of the MOVEit Transfer cyberattack unfolds, Brett Callow, a cyber threat analyst with Emsisoft, indicated that there were 47 confirmed victims so far, "plus a number of as yet unidentified U.S. government agencies." He added that CLOP claimed "hundreds of organizations have been impacted." The sectors predominantly affected include government, financial services, healthcare, pharmaceuticals, and technology.

Prominent Victims and the Fallout: The victims of the MOVEit Transfer cyberattack span various industries and include renowned names such as 1st Source, First National Bankers Bank, Putnam Investments, Landal Greenparks, and Shell. Additionally, educational institutions like the University System of Georgia and prestigious companies like BBC, Aer Lingus, and British Airways also found themselves on the list of targets. And, as we have seen on today’s news, government agencies at both the local and federal levels.

The Aftermath: The repercussions of this cyberattack are far-reaching. Companies like Datasite, United Healthcare, Leggett & Platt, ÖKK, and Zellis, a provider of HR and payroll software, have confirmed the compromise of their MOVEit systems. Moreover, the Government of Nova Scotia acknowledged the impact on their file-sharing infrastructure, potentially putting citizens' personal information at risk.

Continuing Fallout and Lessons Learned: As the investigation into the MOVEit Transfer cyberattack progresses, more organizations are expected to come forward as victims. The incidents at Johns Hopkins University and Ofcom serve as glaring examples of the potential damage caused by this breach. The attackers gained access to sensitive personal and financial information, demonstrating the severity of the situation.

Conclusion: The MOVEit Transfer cyberattack serves as a stark reminder that even the strongest fortresses can face unexpected disruption. The inevitability of a cyberattack on an organization can no longer be ignored. Who knows how far-reaching this ransomware event will go. One thing is for certain: it’s not if but when. Bad actors like CLOP Ransomware will continue down this criminal path for a payday.

To ensure a Positive Outcome: Every organization should have a fortified bunker to protect their critical and sensitive data from the ever-evolving tactics of sophisticated hackers like CLOP Ransomware. This bunker takes the form of an offline, physically isolated, and immutable data copy, continuously monitored by an intelligent analytics engine. This proactive approach enables us to swiftly detect and respond to any signs of compromise, safeguarding our valuable assets.

When it comes to choosing a solution, it's important not to settle for a generic or checkbox approach. According to Gartner, the highest level of security and recovery against insider threats, ransomware, and hacking are provided by Isolated Recovery Environments (IREs) with Immutable Data Vaults (IDVs). Dell's PowerProtect Cyber Recovery is specifically recognized by Gartner for offering IREs with IDVs. While other vendors may offer alternatives, it is crucial to consider whether their solutions truly ensure your ability to resume business operations after a sophisticated attack.

I say this time and again, organizations should never underestimate the power of preparedness and take a proactive stance against the threats that loom in today’s digital realm.


Brandon Bogue

Senior Sales Manager at Palo Alto Networks | Technology Sales & Business Development Leader | 4x Presidents Club | Data Center Infrastructure | Cloud | SaaS | Cybersecurity | Digital Transformation

1 yr

I read Ron Netherland's post to the beat of "I like to move it, move it..." Good content as always, Ron!

Stuart Forrest

Helping Enterprises with Cloud, Digital, IT, Workforce and Security

1 yr

I think a few people will definitely be MOVE-ing-it now, Ron!
